Skip to content

crypto/tls: make checkForResumption side-effect free #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
SparrowLii wants to merge 1 commit into
base: master
Choose a base branch
from
Open

crypto/tls: make checkForResumption side-effect free #3

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 15 additions & 13 deletions src/crypto/tls/handshake_server.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -357,26 +357,26 @@ func (hs *serverHandshakeState) checkForResumption() bool {
if plaintext == nil {
return false
}
hs.sessionState = &sessionState{usedOldKey: usedOldKey}
ok := hs.sessionState.unmarshal(plaintext)
clientSessionState := &sessionState{usedOldKey: usedOldKey}
ok := clientSessionState.unmarshal(plaintext)
if !ok {
return false
}

createdAt := time.Unix(int64(hs.sessionState.createdAt), 0)
createdAt := time.Unix(int64(clientSessionState.createdAt), 0)
if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
return false
}

// Never resume a session for a different TLS version.
if c.vers != hs.sessionState.vers {
if c.vers != clientSessionState.vers {
return false
}

cipherSuiteOk := false
// Check that the client is still offering the ciphersuite in the session.
for _, id := range hs.clientHello.cipherSuites {
if id == hs.sessionState.cipherSuite {
if id == clientSessionState.cipherSuite {
cipherSuiteOk = true
break
}
Expand All @@ -385,14 +385,7 @@ func (hs *serverHandshakeState) checkForResumption() bool {
return false
}

// Check that we also support the ciphersuite from the session.
hs.suite = selectCipherSuite([]uint16{hs.sessionState.cipherSuite},
c.config.cipherSuites(), hs.cipherSuiteOk)
if hs.suite == nil {
return false
}

sessionHasClientCerts := len(hs.sessionState.certificates) != 0
sessionHasClientCerts := len(clientSessionState.certificates) != 0
needClientCerts := requiresClientCert(c.config.ClientAuth)
if needClientCerts && !sessionHasClientCerts {
return false
Expand All @@ -401,6 +394,15 @@ func (hs *serverHandshakeState) checkForResumption() bool {
return false
}

// Check that we also support the ciphersuite from the session.
Copy link
Copy Markdown

@surechen surechen Jul 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

这里改动代码顺序有影响吗?

Copy link
Copy Markdown
Author

@SparrowLii SparrowLii Jul 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

有影响,这样做避免了给hs.suite赋值以后,之后的函数语句又返回了false结果,导致suite维护了一个无用的值。保持了函数的side-effect free。

hs.suite = selectCipherSuite([]uint16{clientSessionState.cipherSuite},
Copy link
Copy Markdown

@surechen surechen Jul 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

看起来似乎还是存在hs.suite被赋值,但是最终返回false的情况

Copy link
Copy Markdown
Author

@SparrowLii SparrowLii Jul 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

这种情况下只可能是suite==nil,然后返回false,表示没有找到合适的加解密工具版本。suite之前就是nil,没有变化

c.config.cipherSuites(), hs.cipherSuiteOk)
if hs.suite == nil {
return false
}

hs.sessionState = clientSessionState

return true
}

Expand Down